Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

GitLab Patches Domain Hijacking Vulnerability

Open source Git repository management system GitLab has addressed a security hole that could have been exploited to hijack users’ custom domains and point them to malicious content.

GitLab Pages is a feature that allows users to create websites for their projects, groups or user accounts, and then connect them to custom domains and TLS certificates.

Open source Git repository management system GitLab has addressed a security hole that could have been exploited to hijack users’ custom domains and point them to malicious content.

GitLab Pages is a feature that allows users to create websites for their projects, groups or user accounts, and then connect them to custom domains and TLS certificates.

White hat hackers noticed that no validation was being performed to ensure that the custom domain added to a user’s Pages site was actually theirs.

A custom domain can be added to GitLab Pages by creating a new DNS A record with an IP address for a Pages server. Since no validation was performed when adding custom domains, an attacker could have identified domains with DNS records pointing to the GitLab Pages server and hijack those domains. When users visited the hijacked domains, they would have been served content from the attacker’s repository.

The attack worked against custom domains that were deleted by users but still had the DNS records for the GitLab server active.

Two researchers reported variations of this issue to GitLab via the company’s bug bounty program on HackerOne. GitLab initially decided not to fix anything, but it started taking action after the second report was submitted.

“Attacker can create fake GitLab account(s) using the email(s) from temporary/anonymous email services. Configure fake email addresses with git for further code commits. Create multiple repositories and add domain name from the vulnerable list. The attacker can then: 1) use the static websites as Command and Control centers for their malware / for other malicious intents, 2) phish the customers / visitors of the legitimate domain owners,” one of the researchers explained in the report submitted via HackerOne.

Proof-of-concept (PoC) exploits created by the researchers revealed that there had been hundreds of vulnerable domains.

GitLab initially disabled the functionality for adding custom domains to GitLab Pages, and this week it rolled out a permanent fix by requiring users to verify ownership when adding a custom domain. Verification is done by adding a DNS TXT record containing a token provided by GitLab to the user’s domain.

Some users pointed out on Hacker News that the problem is similar to the issue that caused Let’s Encrypt last month to disable TLS-SNI-01 validation.

Related: Command Execution Flaw Affects Several Version Control Systems

Related: Hackers Can Use Git Repos for Stealthy Attack on Developers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.